Glossary O
23 terms starting with O
OAuth is an authorization framework that enables third-party applications to access user resources without exposing credentials. OAuth 2.0 defines grant types for different scenarios: authorization code (web apps), client credentials (machine-to-machine), and device code (CLI tools). It's the protocol behind "Connect with GitHub" and API access token flows.
Object storage organizes data as objects — each containing data, metadata, and a unique identifier — accessible through HTTP APIs. Unlike block or file storage, objects are immutable (replaced, not modified) and infinitely scalable. Object storage is ideal for unstructured data: backups, media files, data lake landing zones, and static web assets. S3, GCS, and Azure Blob are the dominant services.
Observability is the ability to understand the internal state of a system from its external outputs — logs, metrics, and traces. A system is observable if engineers can answer arbitrary questions about its behavior without deploying new instrumentation. Observability extends traditional monitoring by enabling exploration of unknown failure modes, not just alerting on predefined conditions.
The Open Container Initiative (OCI) is an open governance body that maintains industry standards for container formats and runtimes. The OCI Image Specification and Runtime Specification ensure containers built with any OCI-compliant tool (Docker, Buildah, Podman) run on any compliant runtime (containerd, CRI-O). OCI standards prevent vendor lock-in in the container ecosystem.
OCI (Open Container Initiative) artifact security encompasses controls for signing, verifying, and attesting container images and other artifacts stored in OCI-compatible registries. The Notary v2/Notation specification and cosign (Sigstore) provide mechanisms to sign OCI artifacts with cryptographic signatures tied to developer or CI/CD system identities. Admission controllers can enforce signature verification policies, blocking deployment of unsigned or unverified container images.
OIDC is an identity layer built on top of OAuth 2.0 that enables client applications to verify user identity and obtain basic profile information. It provides a standardized way to handle authentication across web, mobile, and API applications. OIDC is the protocol behind most modern "Sign in with Google/GitHub" flows.
OLAP is a category of database systems optimized for complex analytical queries over large datasets, supporting operations like slicing, dicing, drilling down, and aggregating data across multiple dimensions. Columnar storage formats (Parquet, ORC) and vectorized query execution are key technologies enabling OLAP performance. Snowflake, BigQuery, and ClickHouse are modern OLAP systems.
OLTP databases are optimized for high-throughput, low-latency transactional workloads — inserting, updating, and querying individual records. Row-oriented storage and ACID transactions are hallmarks of OLTP systems like PostgreSQL, MySQL, and Oracle. OLTP databases power application backends; ETL/ELT pipelines replicate their data to OLAP systems for analytics.
On-call is the practice of designating engineers to be available outside normal working hours to respond to alerts and incidents affecting production systems. Effective on-call programs include clear escalation policies, well-maintained runbooks, alert tuning to reduce noise, and rotation schedules that distribute burden fairly. Excessive on-call load is a leading contributor to engineer burnout.
ONNX is an open format for representing machine learning models that enables interoperability between training frameworks (PyTorch, TensorFlow) and inference runtimes (ONNX Runtime, TensorRT). Models exported to ONNX can be optimized and deployed across diverse hardware targets including CPUs, GPUs, and edge devices without framework-specific dependencies.
OPA is a general-purpose policy engine that decouples policy decisions from application code using a declarative language called Rego. In Kubernetes, OPA (via Gatekeeper) enforces admission control policies that prevent non-compliant workloads from being deployed. OPA is also used for API authorization, infrastructure policy enforcement, and microservice access control.
An open redirect vulnerability allows an application to redirect users to arbitrary external URLs through a parameter that is not properly validated. Attackers exploit open redirects to lend legitimacy to phishing attacks — sending a link to a trusted domain that immediately redirects to a malicious site. Prevention requires validating redirect destinations against an allowlist of trusted URLs or domains.
OpenAPI (formerly Swagger) is a standard, language-agnostic interface description for HTTP APIs that allows both humans and machines to understand service capabilities without source code access. An OpenAPI document describes endpoints, parameters, request/response schemas, and authentication. Tooling generates client SDKs, server stubs, interactive documentation, and contract tests from OpenAPI specs.
The OpenSSF is a Linux Foundation project that brings together industry leaders to improve the security of open-source software. It hosts projects like Scorecard (security health metrics), Alpha-Omega (targeted vulnerability research), and the Sigstore signing infrastructure. OpenSSF also maintains best practices badging and security training resources for OSS maintainers.
OpenTelemetry is a CNCF project providing vendor-neutral SDKs, APIs, and a collector for generating and exporting telemetry data (traces, metrics, logs) from applications. It standardizes instrumentation so that a single codebase can send telemetry to any backend (Datadog, Jaeger, Prometheus, etc.) by changing configuration rather than code. OpenTelemetry has become the industry standard for observability instrumentation.
Opsgenie (now part of Atlassian) is an incident management and on-call scheduling platform that routes alerts from monitoring systems to the right team members based on schedules, escalation policies, and routing rules. It integrates with hundreds of monitoring tools and provides a mobile app for acknowledging and resolving alerts while on-call.
In microservices, orchestration uses a central coordinator (orchestrator) to direct the sequence of service calls for a business process. The orchestrator knows the workflow logic and explicitly calls each service in the correct order. Unlike choreography, orchestration provides clear visibility into workflow state but creates coupling to the orchestrator service.
An ORM maps database tables to programming language objects, allowing developers to interact with databases using familiar object-oriented syntax instead of raw SQL. ORMs handle query generation, relationship mapping, and migrations. Popular ORMs include Prisma (TypeScript), SQLAlchemy (Python), and Hibernate (Java).
OSV is a distributed vulnerability database for open-source software, initiated by Google, that aggregates vulnerability data from ecosystem-specific sources like GitHub Advisory Database, PyPI Advisory Database, and RustSec. It uses a machine-readable JSON schema that links vulnerabilities to precise affected version ranges for packages across multiple ecosystems. The OSV.dev API enables tools to query vulnerability status for any open-source dependency.
Output encoding converts potentially dangerous characters into safe representations before rendering data in a specific context — HTML encoding for HTML output, JavaScript encoding for script contexts, URL encoding for query parameters. It is the primary defense against XSS attacks by ensuring that attacker-controlled data is always treated as content, never as executable code. Context-aware encoding is essential: the encoding needed for HTML body differs from that needed for HTML attributes or JavaScript strings.
OWASP is a nonprofit foundation that produces freely available articles, methodologies, tools, and technologies in the field of application security. The OWASP Top 10 is the de facto standard list of the most critical web application security risks. Security teams reference OWASP resources to establish secure coding standards and training programs.
The OWASP Top 10 is a regularly updated consensus list of the ten most critical web application security risks. It is based on data from hundreds of organizations covering thousands of real-world applications. The list informs developer training, secure code review checklists, and tool coverage requirements, and is widely referenced in regulations and compliance frameworks as a baseline for web application security.
OWASP ZAP is an open-source web application security scanner maintained by the OWASP Foundation. It functions as an intercepting proxy and automated scanner capable of detecting a wide range of vulnerabilities including XSS, SQL injection, and security misconfigurations. ZAP's REST API and Docker integration make it suitable for automated security testing in CI/CD pipelines as part of a DAST strategy.